Security Rules rule set for managed code
Applies to: Visual Studio, Visual Studio for Mac
Note: This article applies to Visual Studio 2017. If you're looking for the latest Visual Studio documentation, see Visual Studio documentation. We recommend upgrading to the latest version of Visual Studio.
Use the Microsoft Security Rules rule set for legacy code analysis to maximize the number of potential security issues that are reported.
Rule | Description |
---|---|
CA2100 | Review SQL queries for security vulnerabilities |
CA2102 | Catch non-CLSCompliant exceptions in general handlers |
CA2103 | Review imperative security |
CA2104 | Do not declare read only mutable reference types |
CA2105 | Array fields should not be read only |
CA2106 | Secure asserts |
CA2107 | Review deny and permit only usage |
CA2108 | Review declarative security on value types |
CA2109 | Review visible event handlers |
CA2111 | Pointers should not be visible |
CA2112 | Secured types should not expose fields |
CA2114 | Method security should be a superset of type |
CA2115 | Call GC.KeepAlive when using native resources |
CA2116 | APTCA methods should only call APTCA methods |
CA2117 | APTCA types should only extend APTCA base types |
CA2118 | Review SuppressUnmanagedCodeSecurityAttribute usage |
CA2119 | Seal methods that satisfy private interfaces |
CA2120 | Secure serialization constructors |
CA2121 | Static constructors should be private |
CA2122 | Do not indirectly expose methods with link demands |
CA2123 | Override link demands should be identical to base |
CA2124 | Wrap vulnerable finally clauses in outer try |
CA2126 | Type link demands require inheritance demands |
CA2130 | Security critical constants should be transparent |
CA2131 | Security critical types may not participate in type equivalence |
CA2132 | Default constructors must be at least as critical as base type default constructors |
CA2133 | Delegates must bind to methods with consistent transparency |
CA2134 | Methods must keep consistent transparency when overriding base methods |
CA2135 | Level 2 assemblies should not contain LinkDemands |
CA2136 | Members should not have conflicting transparency annotations |
CA2137 | Transparent methods must contain only verifiable IL |
CA2138 | Transparent methods must not call methods with the SuppressUnmanagedCodeSecurity attribute |
CA2139 | Transparent methods may not use the HandleProcessCorruptingExceptions attribute |
CA2140 | Transparent code must not reference security critical items |
CA2141 | Transparent methods must not satisfy LinkDemands |
CA2142 | Transparent code should not be protected with LinkDemands |
CA2143 | Transparent methods should not use security demands |
CA2144 | Transparent code should not load assemblies from byte arrays |
CA2145 | Transparent methods should not be decorated with the SuppressUnmanagedCodeSecurityAttribute |
CA2146 | Types must be at least as critical as their base types and interfaces |
CA2147 | Transparent methods may not use security asserts |
CA2149 | Transparent methods must not call into native code |
CA2210 | Assemblies should have valid strong names |
CA2300 | Do not use insecure deserializer BinaryFormatter |
CA2301 | Do not call BinaryFormatter.Deserialize without first setting BinaryFormatter.Binder |
CA2302 | Ensure BinaryFormatter.Binder is set before calling BinaryFormatter.Deserialize |
CA2305 | Do not use insecure deserializer LosFormatter |
CA2310 | Do not use insecure deserializer NetDataContractSerializer |
CA2311 | Do not deserialize without first setting NetDataContractSerializer.Binder |
CA2312 | Ensure NetDataContractSerializer.Binder is set before deserializing |
CA2315 | Do not use insecure deserializer ObjectStateFormatter |
CA2321 | Do not deserialize with JavaScriptSerializer using a SimpleTypeResolver |
CA2322 | Ensure JavaScriptSerializer is not initialized with SimpleTypeResolver before deserializing |
CA3001 | Review code for SQL injection vulnerabilities |
CA3002 | Review code for XSS vulnerabilities |
CA3003 | Review code for file path injection vulnerabilities |
CA3004 | Review code for information disclosure vulnerabilities |
CA3005 | Review code for LDAP injection vulnerabilities |
CA3006 | Review code for process command injection vulnerabilities |
CA3007 | Review code for open redirect vulnerabilities |
CA3008 | Review code for XPath injection vulnerabilities |
CA3009 | Review code for XML injection vulnerabilities |
CA3010 | Review code for XAML injection vulnerabilities |
CA3011 | Review code for DLL injection vulnerabilities |
CA3012 | Review code for regex injection vulnerabilities |
CA5358 | Do Not Use Unsafe Cipher Modes |
CA5403 | Do not hard-code certificate |
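As an added illustration (not code from the original page or from Microsoft), the following C# shows the code shape that trips three groups of rules in the table above, beside the shape each rule steers you toward: CA2300/CA2301/CA2302 (BinaryFormatter deserializing without a SerializationBinder), CA2100/CA3001 (SQL text built by string concatenation) and CA5358 (AES in ECB mode). The `Order` type, the `Orders` table and the `Sku` column are assumptions made for the example.

```csharp
// Added example for the Security Rules table; not from the original page.
// "Flagged" methods trigger the named rule, "fixed" methods are the compliant shape.
// Order, Orders and Sku are assumed names for illustration only.
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;

[Serializable]
public sealed class Order
{
    public int Id;
    public string Sku;
}

// CA2301/CA2302: the Binder decides which types a payload may instantiate.
// Allow-listing Order alone stops a payload from naming a gadget type.
public sealed class OrderOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(Order).FullName)
            return typeof(Order);
        throw new SerializationException("Type not allowed: " + typeName);
    }
}

public static class SecurityRuleExamples
{
    // Flagged by CA2300 and CA2301: no Binder, so attacker-controlled bytes
    // choose the type that gets constructed.
    public static Order DeserializeFlagged(byte[] payload)
    {
        var formatter = new BinaryFormatter();
        return (Order)formatter.Deserialize(new MemoryStream(payload));
    }

    // Fixed for CA2301/CA2302: Binder is set before Deserialize runs.
    // CA2300 still fires: BinaryFormatter itself is the insecure deserializer,
    // so the Binder is a mitigation, not a reason to keep the format.
    public static Order DeserializeWithBinder(byte[] payload)
    {
        var formatter = new BinaryFormatter { Binder = new OrderOnlyBinder() };
        return (Order)formatter.Deserialize(new MemoryStream(payload));
    }

    // Flagged by CA2100 (and CA3001 when sku is traced to request input):
    // the query text is assembled from untrusted data.
    public static SqlCommand QueryFlagged(SqlConnection conn, string sku)
    {
        return new SqlCommand("SELECT Id FROM Orders WHERE Sku = '" + sku + "'", conn);
    }

    // Fixed: a typed parameter; the value never becomes part of the SQL text.
    public static SqlCommand QueryParameterized(SqlConnection conn, string sku)
    {
        var cmd = new SqlCommand("SELECT Id FROM Orders WHERE Sku = @sku", conn);
        cmd.Parameters.Add("@sku", SqlDbType.NVarChar, 64).Value = sku;
        return cmd;
    }

    // Flagged by CA5358: ECB encrypts equal blocks to equal ciphertext,
    // leaking plaintext structure.
    public static byte[] EncryptFlagged(byte[] key, byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.Mode = CipherMode.ECB;
            using (var enc = aes.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    // Fixed for CA5358: CBC with a fresh random IV, prepended to the output so
    // the receiver can decrypt. CBC is unauthenticated; add an HMAC over
    // IV + ciphertext (or use an AEAD mode where the runtime offers one).
    public static byte[] EncryptCbc(byte[] key, byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.Mode = CipherMode.CBC;
            aes.GenerateIV();
            using (var enc = aes.CreateEncryptor())
            {
                byte[] body = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[aes.IV.Length + body.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(body, 0, output, aes.IV.Length, body.Length);
                return output;
            }
        }
    }
}
```

Two caveats a reviewer should keep in mind when triaging these reports: setting a Binder silences CA2301/CA2302 but not CA2300, because the rule set treats BinaryFormatter as insecure regardless of configuration; and CBC satisfies CA5358 only in the sense that it is not ECB, OFB or CFB, so the rule says nothing about whether the ciphertext is authenticated.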